Abstract

This document describes two methods for producing an integrity check
value from a Diffie-Hellman key pair and one method for producing an
integrity check value from an Elliptic Curve key pair. This behavior
is needed for such operations as creating the signature of a
Public-Key Cryptography Standards (PKCS) #10 Certification Request.
These algorithms are designed to provide a Proof-of-Possession of the
private key and not to be a general purpose signing algorithm.


This document obsoletes RFC 2875.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6955.
Schaad & Prafullchandra       Standards Track                   [Page 2]

RFC 6955                    DH POP Algorithms                   May 2013


Table of Contents

1. Introduction
   1.1. Changes since RFC 2875
   1.2. Requirements Terminology
2. Terminology
3. Notation
4. Static DH Proof-of-Possession Process
   4.1. ASN.1 Encoding
5. Discrete Logarithm Signature
   5.1. Expanding the Digest Value
   5.2. Signature Computation Algorithm
   5.3. Signature Verification Algorithm
   5.4. ASN.1 Encoding
6. Static ECDH Proof-of-Possession Process
   6.1. ASN.1 Encoding
7. Security Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Appendix A. ASN.1 Modules
   A.1. 2008 ASN.1 Module
   A.2. 1988 ASN.1 Module
Appendix B. Example of Static DH Proof-of-Possession
Appendix C. Example of Discrete Log Signature


1. Introduction

Among the responsibilities of a Certification Authority (CA) in
issuing certificates is a requirement that it verifies the identity
of the entity to which it is issuing a certificate and that the
private key for the public key to be placed in the certificate is in
the possession of that entity. The process of validating that the
private key is held by the requester of the certificate is called
Proof-of-Possession (POP). Further details on why POP is important
can be found in Appendix C of RFC 4211 [CRMF].




This document is designed to deal with the problem of how to support
POP for encryption-only keys. PKCS #10 [RFC2986] and the Certificate
Request Message Format (CRMF) [CRMF] both define syntaxes for
Certification Requests. However, while CRMF supports an alternative
method to support POP for encryption-only keys, PKCS #10 does not.
PKCS #10 assumes that the public key being requested for
certification corresponds to an algorithm that is capable of
producing a POP by a signature operation. Diffie-Hellman (DH) and
Elliptic Curve Diffie-Hellman (ECDH) are key agreement algorithms
and, as such, cannot be directly used for signing or encryption.
This document describes a set of three POP algorithms. Two methods
use the key agreement process (one for DH and one for ECDH) to
provide a shared secret as the basis of an integrity check value.
For these methods, the value is constructed for a specific recipient/
verifier by using a public key of that verifier. The third method
uses a modified signature algorithm (for DH). This method allows for
arbitrary verifiers.


It should be noted that we did not create an algorithm that parallels
the Elliptic Curve Digital Signature Algorithm (ECDSA) as was done
for the Digital Signature Algorithm (DSA). When using ECDH, the
common practice is to use one of a set of predefined curves; each of
these curves has been designed to be paired with one of the commonly
used hash algorithms. This differs in practice from the DH case
where the common practice is to generate a set of group parameters,
either on a single machine or for a given community, that are aligned
to encryption algorithms rather than hash algorithms. The
implication is that, if a key has the ability to perform the modified
DSA algorithm for ECDSA, it should be able to use the correct hash
algorithm and perform the regular ECDSA signature algorithm with the
correctly sized hash.


1.1. Changes since RFC 2875

The following changes have been made:

o The Static DH POP algorithm has been rewritten for
  parameterization of the hash algorithm and the Message
  Authentication Code (MAC) algorithm.

o New instances of the Static DH POP algorithm have been created
  using the Hashed Message Authentication Code (HMAC) paired with
  the SHA-224, SHA-256, SHA-384, and SHA-512 hash algorithms.
  However, the current SHA-1 algorithm remains identical.

o The Discrete Logarithm Signature algorithm has been rewritten for
  parameterization of the hash algorithm.

o New instances of the Discrete Logarithm Signature have been
  created for the SHA-224, SHA-256, SHA-384, and SHA-512 hash
  functions. However, the current SHA-1 algorithm remains
  identical.

o A new Static ECDH POP algorithm has been added.

o New instances of the Static ECDH POP algorithm have been created
  using HMAC paired with the SHA-224, SHA-256, SHA-384, and SHA-512
  hash functions.
1.2. Requirements Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].


When the words are in lower case they have their natural language 
meaning. 


2. Terminology

The following definitions will be used in this document:

DH certificate = a certificate whose SubjectPublicKey is a DH public
value and is signed with any signature algorithm (e.g., RSA or DSA).

ECDH certificate = a certificate whose SubjectPublicKey is an ECDH
public value and is signed with any signature algorithm (e.g., RSA
or ECDSA).

Proof-of-Possession (POP) = a means that provides a method for a
second party to perform an algorithm to establish with some degree of
assurance that the first party does possess and has the ability to
use a private key. The reasoning behind doing POP can be found in
Appendix C in [CRMF].


3. Notation 


This section describes mathematical notations, conventions, and 
symbols used throughout this document. 


a | b          : Concatenation of a and b
a ^ b          : a raised to the power of b
a mod b        : a modulo b
a / b          : a divided by b using integer division
a * b          : a times b
                 Depending on context, multiplication may be within
                 an EC or normal multiplication
KDF(a)         : Key Derivation Function producing a value from a
MAC(a, b)      : Message Authentication Code function where
                 a is the key and b is the text
LEFTMOST(a, b) : Return the b left most bits of a
FLOOR(a)       : Return n where n is the largest integer such that
                 n <= a

Details on how to implement the HMAC version of a MAC function used
in this document can be found in RFC 2104 [RFC2104], RFC 6234
[RFC6234], and RFC 4231 [RFC4231].


4. Static DH Proof-of-Possession Process 


The Static DH POP algorithm is set up to use a Key Derivation
Function (KDF) and a MAC. This algorithm requires that a common set
of group parameters be used by both the creator and verifier of the
POP value.

The steps for creating a DH POP are:

1. An entity (E) chooses the group parameters for a DH key
   agreement.

   This is done simply by selecting the group parameters from a
   certificate for the recipient of the POP process. A certificate
   with the correct group parameters has to be available.

   Let the common DH parameters be g and p; and let the DH key pair
   from the certificate be known as the recipient (R) key pair (Rpub
   and Rpriv).

   Rpub = g^x mod p (where x=Rpriv, the private DH value)

2. The entity generates a DH public/private key pair using the group
   parameters from step 1.

   For an entity (E):

   Epriv = DH private value = y
   Epub = DH public value = g^y mod p
3. The POP computation process will then consist of the following
   steps:

   (a) The value to be signed (text) is obtained. (For a PKCS #10
       object, the value is the DER-encoded certificationRequestInfo
       field represented as an octet string.)

   (b) A shared DH secret is computed as follows:

       shared secret = ZZ = g^(x*y) mod p

       [This is done by E as Rpub^y and by the recipient as Epub^x,
       where Rpub is retrieved from the recipient's DH certificate
       (or is provided in the protocol) and Epub is retrieved from
       the Certification Request.]

   (c) A temporary key K is derived from the shared secret ZZ as
       follows:

       K = KDF(LeadingInfo | ZZ | TrailingInfo)

       LeadingInfo ::= Subject Distinguished Name from
                       recipient's certificate
       TrailingInfo ::= Issuer Distinguished Name from
                        recipient's certificate

   (d) Using the defined MAC function, compute MAC(K, text).

The POP verification process requires the recipient to carry out
steps (a) through (d) and then simply compare the result of step (d)
with what it received as the signature component. If they match,
then the following can be concluded:

(a) The entity possesses the private key corresponding to the public
    key in the Certification Request because it needs the private
    key to calculate the shared secret; and

(b) Only the recipient that the entity sent the request to could
    actually verify the request because it would require its own
    private key to compute the same shared secret. In the case
    where the recipient is a CA, this protects the entity from
    rogue CAs.


4.1. ASN.1 Encoding 


The algorithm outlined above allows for the use of an arbitrary hash 
function in computing the temporary key and the MAC algorithm. In 
this specification, we define object identifiers for the SHA-1, 
SHA-224, SHA-256, SHA-384, and SHA-512 hash values and use HMAC for 
the MAC algorithm. The ASN.1 structures associated with the Static 
DH POP algorithm are: 


DhSigStatic ::= SEQUENCE {
    issuerAndSerial IssuerAndSerialNumber OPTIONAL,
    hashValue       MessageDigest
}

sa-dhPop-static-sha1-hmac-sha1 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-dhPop-static-sha1-hmac-sha1
    VALUE DhSigStatic
    PARAMS ARE absent
    PUBLIC-KEYS { pk-dh }
}

id-dh-sig-hmac-sha1 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 3
}

id-dhPop-static-sha1-hmac-sha1 OBJECT IDENTIFIER ::=
    id-dh-sig-hmac-sha1

sa-dhPop-static-sha224-hmac-sha224 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-dhPop-static-sha224-hmac-sha224
    VALUE DhSigStatic
    PARAMS ARE absent
    PUBLIC-KEYS { pk-dh }
}

id-alg-dhPop-static-sha224-hmac-sha224 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 15
}

sa-dhPop-static-sha256-hmac-sha256 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-dhPop-static-sha256-hmac-sha256
    VALUE DhSigStatic
    PARAMS ARE absent
    PUBLIC-KEYS { pk-dh }
}

id-alg-dhPop-static-sha256-hmac-sha256 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 16
}

sa-dhPop-static-sha384-hmac-sha384 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-dhPop-static-sha384-hmac-sha384
    VALUE DhSigStatic
    PARAMS ARE absent
    PUBLIC-KEYS { pk-dh }
}

id-alg-dhPop-static-sha384-hmac-sha384 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 17
}

sa-dhPop-static-sha512-hmac-sha512 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-dhPop-static-sha512-hmac-sha512
    VALUE DhSigStatic
    PARAMS ARE absent
    PUBLIC-KEYS { pk-dh }
}

id-alg-dhPop-static-sha512-hmac-sha512 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 18
}


In the above ASN.1, the following items are defined: 


DhSigStatic 
This ASN.1 type structure holds the information describing the 
Signature. The structure has the following fields: 


issuerAndSerial 
This field contains the issuer name and serial number of the 
certificate from which the public key was obtained. The 
issuerAndSerial field is omitted if the public key did not come 
from a certificate. 


hashValue 
This field contains the result of the MAC operation in 
step 3(d) (Section 4). 


sa-dhPop-static-sha1-hmac-sha1
An ASN.1 SIGNATURE-ALGORITHM object that associates together the
information describing a signature algorithm. The structure
DhSigStatic represents the signature value, and the parameters
MUST be absent.

id-dhPop-static-sha1-hmac-sha1
This OID identifies the Static DH POP algorithm that uses SHA-1 as
the KDF and HMAC-SHA1 as the MAC function. The new OID was
created for naming consistency with the other OIDs defined here.
The value of the OID is the same value as id-dh-sig-hmac-sha1,
which was defined in the previous version of this document
[RFC2875].

sa-dhPop-static-sha224-hmac-sha224
An ASN.1 SIGNATURE-ALGORITHM object that associates together the
information describing this signature algorithm. The structure
DhSigStatic represents the signature value, and the parameters
MUST be absent.

id-alg-dhPop-static-sha224-hmac-sha224
This OID identifies the Static DH POP algorithm that uses SHA-224
as the KDF and HMAC-SHA224 as the MAC function.

sa-dhPop-static-sha256-hmac-sha256
An ASN.1 SIGNATURE-ALGORITHM object that associates together the
information describing this signature algorithm. The structure
DhSigStatic represents the signature value, and the parameters
MUST be absent.

id-alg-dhPop-static-sha256-hmac-sha256
This OID identifies the Static DH POP algorithm that uses SHA-256
as the KDF and HMAC-SHA256 as the MAC function.

sa-dhPop-static-sha384-hmac-sha384
An ASN.1 SIGNATURE-ALGORITHM object that associates together the
information describing this signature algorithm. The structure
DhSigStatic represents the signature value, and the parameters
MUST be absent.

id-alg-dhPop-static-sha384-hmac-sha384
This OID identifies the Static DH POP algorithm that uses SHA-384
as the KDF and HMAC-SHA384 as the MAC function.

sa-dhPop-static-sha512-hmac-sha512
An ASN.1 SIGNATURE-ALGORITHM object that associates together the
information describing this signature algorithm. The structure
DhSigStatic represents the signature value, and the parameters
MUST be absent.

id-alg-dhPop-static-sha512-hmac-sha512
This OID identifies the Static DH POP algorithm that uses SHA-512
as the KDF and HMAC-SHA512 as the MAC function.
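As an added example (not code from the RFC), the following Python hand-encodes and re-parses the two DER structures a verifier sees for a Static POP in a PKCS #10 request: the AlgorithmIdentifier carrying one of the OIDs above with its parameters absent, and the DhSigStatic value holding the MAC. The OID table is taken from the id-pkix id-alg(6) arcs defined in Sections 4.1 and 6.1 (the ECDH instances reuse DhSigStatic); the short names in it are this example's labels, not identifiers from the RFC. The parser enforces the "PARAMS ARE absent" rule and the MAC length each OID implies, which is the check a CA should make before recomputing the MAC. No ASN.1 library is assumed.

```python
# OIDs from Sections 4.1 and 6.1 (id-pkix id-alg(6) <n>) and the length in
# octets of the MAC each instance produces.  Names are example labels.
ID_PKIX_ALG = "1.3.6.1.5.5.7.6"
STATIC_POP_OIDS = {
    ID_PKIX_ALG + ".3":  ("dhPop-static-sha1-hmac-sha1", 20),
    ID_PKIX_ALG + ".15": ("dhPop-static-sha224-hmac-sha224", 28),
    ID_PKIX_ALG + ".16": ("dhPop-static-sha256-hmac-sha256", 32),
    ID_PKIX_ALG + ".17": ("dhPop-static-sha384-hmac-sha384", 48),
    ID_PKIX_ALG + ".18": ("dhPop-static-sha512-hmac-sha512", 64),
    ID_PKIX_ALG + ".25": ("ecdhPop-static-sha224-hmac-sha224", 28),
    ID_PKIX_ALG + ".26": ("ecdhPop-static-sha256-hmac-sha256", 32),
    ID_PKIX_ALG + ".27": ("ecdhPop-static-sha384-hmac-sha384", 48),
    ID_PKIX_ALG + ".28": ("ecdhPop-static-sha512-hmac-sha512", 64),
}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def encode_algorithm_identifier(oid):
    """AlgorithmIdentifier for a Static POP OID: PARAMS ARE absent, so the
    SEQUENCE holds nothing but the OID."""
    return der_tlv(0x30, der_oid(oid))


def encode_dh_sig_static(mac, issuer_and_serial=None):
    """DhSigStatic ::= SEQUENCE { issuerAndSerial OPTIONAL, hashValue }.
    hashValue is a MessageDigest (OCTET STRING); issuer_and_serial, when
    given, is an already DER-encoded IssuerAndSerialNumber."""
    return der_tlv(0x30, (issuer_and_serial or b"") + der_tlv(0x04, mac))


def read_tlv(buf, pos=0):
    """Return (tag, content, end) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_static_pop(alg_id_der, sig_der):
    """Verifier-side checks before recomputing the MAC: known OID, parameters
    absent, hashValue an OCTET STRING of the right length.  Returns (name, mac)."""
    tag, seq, end = read_tlv(alg_id_der)
    if tag != 0x30 or end != len(alg_id_der):
        raise ValueError("AlgorithmIdentifier must be one SEQUENCE")
    otag, oid_body, oend = read_tlv(seq)
    if otag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    if oend != len(seq):                      # anything after the OID is parameters
        raise ValueError("parameters MUST be absent")
    oid = decode_oid(oid_body)
    if oid not in STATIC_POP_OIDS:
        raise ValueError("not a Static POP algorithm: " + oid)
    name, mac_len = STATIC_POP_OIDS[oid]
    stag, body, send = read_tlv(sig_der)
    if stag != 0x30 or send != len(sig_der):
        raise ValueError("DhSigStatic must be one SEQUENCE")
    ftag, mac, fend = read_tlv(body)
    if ftag == 0x30:                          # optional issuerAndSerial present
        ftag, mac, fend = read_tlv(body, fend)
    if ftag != 0x04 or fend != len(body) or len(mac) != mac_len:
        raise ValueError("hashValue must be a %d-octet OCTET STRING" % mac_len)
    return name, mac
```

For the SHA-256 instance, encode_algorithm_identifier("1.3.6.1.5.5.7.6.16") yields the 12 octets 30 0a 06 08 2b 06 01 05 05 07 06 10; a NULL or any other element after the OID makes parse_static_pop reject the request, as does a hashValue whose length does not match the HMAC named by the OID.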
5. Discrete Logarithm Signature

When a single set of parameters is used for a large group of keys,
the chance that a collision will occur in the set of keys, either by
accident or design, increases as the number of keys used increases.
A large number of keys from a single parameter set also encourages
the use of brute force methods of attack, as the entire set of keys
in the parameters can be attacked in a single operation rather than
having to attack each key parameter set individually. For this
reason, we need to create a POP for DH keys that does not require
the use of a common set of parameters.

This POP algorithm is based on DSA, but we have removed the
restrictions dealing with the hash and key sizes imposed by the
[FIPS-186-3] standard. The use of this method does impose some
additional restrictions on the set of keys that may be used; however,
if the key-generation algorithm documented in [RFC2631] is used, the
required restrictions are met. The additional restrictions are the
requirement for the existence of a q parameter. Adding the q
parameter is generally accepted as a good practice, as it allows for
checking of small subgroup attacks.

The following definitions are used in the rest of this section:

p is a large prime
g = h^((p-1)/q) mod p,
    where h is any integer 1 < h < p-1 such that h^((p-1)/q) mod p > 1
    (g has order q mod p)
q is a large prime
j is a large integer such that p = q*j + 1
x is a randomly or pseudo-randomly generated integer with 1 < x < q
y = g^x mod p
HASH is a hash function such that
    b = the output size of HASH in bits

Note: These definitions match the ones in [RFC2631].

5.1. Expanding the Digest Value

Besides the addition of a q parameter, [FIPS-186-3] also imposes size
restrictions on the parameters. The length of q must be 160 bits
(matching the output length of the SHA-1 digest algorithm), and the
length of p must be 1024 bits. The size restriction on p is
eliminated in this document, but the size restriction on q is
replaced with the requirement that q must be at least b bits in
length. (If the hash function is SHA-1, then b=160 bits and the size
restriction on b is identical with that in [FIPS-186-3].) Given that
there is not a random length-hashing algorithm, a hash value of the
message will need to be derived such that the hash is in the range
from 0 to q-1. If the length of q is greater than b, then a method
must be provided to expand the hash.

The method for expanding the digest value used in this section does
not provide any additional security beyond the b bits provided by the
hash algorithm. For this reason, the hash algorithm should be the
largest size possible to match q. The value being signed is
increased mainly to enhance the difficulty of reversing the signature
process.

This algorithm produces m, the value to be signed.

Let L = the size of q (i.e., 2^L <= q < 2^(L+1)).
Let M be the original message to be signed.
Let b be the length of HASH output.

1. Compute d = HASH(M), the digest of the original message.

2. If L == b, then m = d.

3. If L > b, then follow steps (a) through (d) below.

   (a) Set n = FLOOR(L / b)
   (b) Set m = d, the initial computed digest value
   (c) For i = 0 to n - 1
           m = m | HASH(m)
   (d) m = LEFTMOST(m, L-1)

Thus, the final result of the process meets the criteria that
0 <= m < q.


5.2. Signature Computation Algorithm 


The signature algorithm produces the pair of values (r, s), which is 
the signature. The signature is computed as follows: 


Given m, the value to be signed, as well as the parameters defined
earlier in Section 5:

1. Generate a random or pseudo-random integer k, such that
   0 < k-1 < q.

2. Compute r = (g^k mod p) mod q.

3. If r is zero, repeat from step 1.

4. Compute s = ((k^-1) * (m + x*r)) mod q.

5. If s is zero, repeat from step 1.


5.3. Signature Verification Algorithm

The signature verification process is far more complicated than is
normal for DSA, as some assumptions about the validity of parameters
cannot be taken for granted.

Given a value m to be validated, the signature value pair (r, s) and
the parameters for the key:

1. Perform a strong verification that p is a prime number.

2. Perform a strong verification that q is a prime number.

3. Verify that q is a factor of p-1; if any of the above checks
   fail, then the signature cannot be verified and must be
   considered a failure.

4. Verify that r and s are in the range [1, q-1].

5. Compute w = (s^-1) mod q.

6. Compute u1 = m*w mod q.

7. Compute u2 = r*w mod q.

8. Compute v = ((g^u1 * y^u2) mod p) mod q.

9. Compare v and r; if they are the same, then the signature
   verified correctly.
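Sections 5.1 through 5.3 together, as an added Python example that is not part of the RFC. The parameters (p, q, g) are generated at run time from a seeded PRNG and are deliberately toy-sized (q of 300 bits, p of about 500 bits) so that the L > b branch of the digest expansion is exercised with SHA-256 (b = 256); a CA should accept nothing that small. The constraint on k is implemented as 1 <= k <= q-1. The subgroup checks on g and y inside verify() go beyond the list in Section 5.3 and are this example's addition; the Miller-Rabin routine stands in for the "strong verification" of steps 1 and 2.

```python
import hashlib
import random
import secrets

HASH = hashlib.sha256
B = HASH().digest_size * 8                  # b = output size of HASH in bits


def is_probable_prime(n, rounds=40, rng=random.SystemRandom()):
    """Miller-Rabin: the 'strong verification' of Section 5.3 steps 1-2."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(q_bits=300, j_bits=200, seed=6955):
    """Constructed (p, q, g) with p = q*j + 1 and g of order q (Section 5).
    Seeded so the run is reproducible; toy-sized on purpose."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        j = (rng.getrandbits(j_bits) | (1 << (j_bits - 1))) & ~1   # even j
        p = q * j + 1
        if is_probable_prime(p):
            break
    h = 2
    while pow(h, j, p) == 1:                # g = h^((p-1)/q) mod p must be > 1
        h += 1
    return p, q, pow(h, j, p)


def expand_digest(message, q):
    """Section 5.1: HASH(message) stretched to L-1 bits when L > b."""
    L = q.bit_length() - 1                  # 2^L <= q < 2^(L+1)
    if L < B:
        raise ValueError("q must be at least b bits long")
    d = HASH(message).digest()
    if L == B:
        return int.from_bytes(d, "big")
    m = d
    for _ in range(L // B):                 # n = FLOOR(L / b) rounds of m = m | HASH(m)
        m += HASH(m).digest()
    return int.from_bytes(m, "big") >> (8 * len(m) - (L - 1))   # LEFTMOST(m, L-1)


def sign(message, p, q, g, x):
    """Section 5.2: returns (r, s); k is fresh for every signature."""
    m = expand_digest(message, q)
    while True:
        k = secrets.randbelow(q - 1) + 1    # 1 <= k <= q-1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (m + x * r) % q
        if r and s:                         # steps 3 and 5: retry on zero
            return r, s


def verify(message, sig, p, q, g, y):
    """Section 5.3; the g/y subgroup checks are an addition to the RFC's list."""
    r, s = sig
    if not (is_probable_prime(p) and is_probable_prime(q) and (p - 1) % q == 0):
        return False
    if not (1 < g < p and pow(g, q, p) == 1 and 1 < y < p and pow(y, q, p) == 1):
        return False
    if not (1 <= r <= q - 1 and 1 <= s <= q - 1):
        return False
    m = expand_digest(message, q)
    w = pow(s, -1, q)
    v = (pow(g, m * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r


def demo():
    p, q, g = generate_params()
    x = secrets.randbelow(q - 2) + 2        # 1 < x < q
    y = pow(g, x, p)
    cri = b"\x30\x03\x02\x01\x00"           # stand-in for the DER certificationRequestInfo
    sig = sign(cri, p, q, g, x)
    return verify(cri, sig, p, q, g, y), verify(cri + b"\x00", sig, p, q, g, y)
```

With a 300-bit q, L is 299, so one round of m = m | HASH(m) runs and the leftmost 298 bits are kept, which is why the signed value is always below q/2 and never collides with the range check in step 4. demo() returns (True, False): the genuine request verifies and a one-byte change to it does not.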
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5.4. ASN.1 Encoding 


The signature algorithm is parameterized by the hash algorithm. The 
ASN.1 structures associated with the Discrete Logarithm Signature 
algorithm are: 


sa-dhPop-sha1 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-dh-pop
    VALUE DSA-Sig-Value
    PARAMS TYPE DomainParameters ARE preferredAbsent
    HASHES { mda-sha1 }
    PUBLIC-KEYS { pk-dh }
}

id-alg-dhPop-sha1 OBJECT IDENTIFIER ::= id-alg-dh-pop
id-alg-dh-pop OBJECT IDENTIFIER ::= { id-pkix id-alg(6) 4 }

sa-dhPop-sha224 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-dhPop-sha224
    VALUE DSA-Sig-Value
    PARAMS TYPE DomainParameters ARE preferredAbsent
    HASHES { mda-sha224 }
    PUBLIC-KEYS { pk-dh }
}

id-alg-dhPop-sha224 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 5
}

sa-dhPop-sha256 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-dhPop-sha256
    VALUE DSA-Sig-Value
    PARAMS TYPE DomainParameters ARE preferredAbsent
    HASHES { mda-sha256 }
    PUBLIC-KEYS { pk-dh }
}

id-alg-dhPop-sha256 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 6
}

sa-dhPop-sha384 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-dhPop-sha384
    VALUE DSA-Sig-Value
    PARAMS TYPE DomainParameters ARE preferredAbsent
    HASHES { mda-sha384 }
    PUBLIC-KEYS { pk-dh }
}

id-alg-dhPop-sha384 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 7
}

sa-dhPop-sha512 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-dhPop-sha512
    VALUE DSA-Sig-Value
    PARAMS TYPE DomainParameters ARE preferredAbsent
    HASHES { mda-sha512 }
    PUBLIC-KEYS { pk-dh }
}

id-alg-dhPop-sha512 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 8
}


In the above ASN.1, the following items are defined: 


sa-dhPop-sha1
A SIGNATURE-ALGORITHM object that associates together the
information describing this signature algorithm. The structure
DSA-Sig-Value represents the signature value, and the structure
DomainParameters SHOULD be omitted in the signature but MUST be
present in the associated key request.

id-alg-dhPop-sha1
This OID identifies the Discrete Logarithm Signature using SHA-1
as the hash algorithm. The new OID was created for naming
consistency with the others defined here. The value of the OID is
the same as id-alg-dh-pop, which was defined in the previous
version of this document [RFC2875].


sa-dhPop-sha224 
A SIGNATURE-ALGORITHM object that associates together the 
information describing this signature algorithm. The structure 
DSA-Sig-Value represents the signature value, and the structure 
DomainParameters SHOULD be omitted in the signature but MUST be 
present in the associated key request. 
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id-alg-dhPop-sha224 
This OID identifies the Discrete Logarithm Signature using SHA-224 
as the hash algorithm. 


sa-dhPop-sha256 
A SIGNATURE-ALGORITHM object that associates together the 
information describing this signature algorithm. The structure 
DSA-Sig-Value represents the signature value, and the structure 
DomainParameters SHOULD be omitted in the signature but MUST be 
present in the associated key request.


id-alg-dhPop-sha256 
This OID identifies the Discrete Logarithm Signature using SHA-256 
as the hash algorithm. 


sa-dhPop-sha384 
A SIGNATURE-ALGORITHM object that associates together the 
information describing this signature algorithm. The structure 
DSA-Sig-Value represents the signature value, and the structure 
DomainParameters SHOULD be omitted in the signature but MUST be 
present in the associated key request.


id-alg-dhPop-sha384 
This OID identifies the Discrete Logarithm Signature using SHA-384 
as the hash algorithm. 


sa-dhPop-sha512 
A SIGNATURE-ALGORITHM object that associates together the 
information describing this signature algorithm. The structure 
DSA-Sig-Value represents the signature value, and the structure 
DomainParameters SHOULD be omitted in the signature but MUST be 
present in the associated key request. 


id-alg-dhPop-sha512 
This OID identifies the Discrete Logarithm Signature using SHA-512 
as the hash algorithm. 


6. Static ECDH Proof-of-Possession Process 


The Static ECDH POP algorithm is set up to use a KDF and a MAC. This 
algorithm requires that a common set of group parameters be used by 
both the creator and the verifier of the POP value. Full details of 
how Elliptic Curve Cryptography (ECC) works can be found in RFC 6090 
[RFC6090]. 
The steps for creating an ECDH POP are:

1. An entity (E) chooses the group parameters for an ECDH key
   agreement.

   This is done simply by selecting the group parameters from a
   certificate for the recipient of the POP process. A certificate
   with the correct group parameters has to be available.

   The ECDH parameters can be identified either by a named group or
   by a set of curve parameters. Section 2.3.5 of RFC 3279
   [RFC3279] documents how the parameters are encoded for PKIX
   certificates. For PKIX-based applications, the parameters will
   almost always be defined by a named group. Designate G as the
   group from the ECDH parameters. Let the ECDH key pair associated
   with the certificate be known as the recipient key pair (Rpub
   and Rpriv).

   Rpub = Rpriv * G

2. The entity generates an ECDH public/private key pair using the
   parameters from step 1.

   For an entity (E):

   Epriv = entity private value
   Epub = ECDH public point = Epriv * G

3. The POP computation process will then consist of the following
   steps:

   (a) The value to be signed (text) is obtained. (For a PKCS #10
       object, the value is the DER-encoded certificationRequestInfo
       field represented as an octet string.)

   (b) A shared ECDH secret is computed as follows:

       shared secret point (x, y) = Epriv * Rpub = Rpriv * Epub

       shared secret value ZZ is the x coordinate of the computed
       point
   (c) A temporary key K is derived from the shared secret ZZ as
       follows:

       K = KDF(LeadingInfo | ZZ | TrailingInfo)

       LeadingInfo ::= Subject Distinguished Name from certificate
       TrailingInfo ::= Issuer Distinguished Name from certificate

   (d) Compute MAC(K, text).


The POP verification process requires the recipient to carry out 
steps (a) through (d) and then simply compare the result of step (d) 
with what it received as the signature component. If they match, 
then the following can be concluded: 


(a) The entity possesses the private key corresponding to the public 
key in the Certification Request because it needed the private 
key to calculate the shared secret; and 


(b) Only the recipient that the entity sent the request to could 
actually verify the request because it would require its own 
private key to compute the same shared secret. In the case 
where the recipient is a CA, this protects the entity from 
rogue CAs. 
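Both static POP flows, Section 4 (DH) and Section 6 (ECDH), in one added Python example; this is not code from the RFC. The KDF is SHA-256 and the MAC is HMAC-SHA256, matching the sha256-hmac-sha256 instances. The DH group (p = 1019, q = 509, g = 4), the curve (y^2 = x^3 + 2x + 2 over F_17 with G = (5, 1) of prime order 19), the DN strings and the TEXT stand-in for the DER certificationRequestInfo are all constructed toys; in deployment the group and the DNs come from the recipient's certificate. Each side validates the peer's public value before using it, a check the RFC leaves implicit, and the third-party computation at the end shows the point in Section 7 that only the holder of Rpriv can verify the value.

```python
"""Static DH POP (Section 4) and Static ECDH POP (Section 6), both sides.
Added example, not the RFC's code.  KDF = SHA-256, MAC = HMAC-SHA256.
Every group, key and input below is a constructed toy."""
import hashlib
import hmac
import secrets

TEXT = b"\x30\x03\x02\x01\x00"          # stand-in for DER certificationRequestInfo
LEADING_INFO = b"CN=Example CA"         # subject DN of the recipient's certificate
TRAILING_INFO = b"CN=Example Root"      # issuer DN of the recipient's certificate

# ---- toy DH group: p = 2q + 1, g of order q ---------------------------------
P, Q, G = 1019, 509, 4

def dh_keypair():
    priv = secrets.randbelow(Q - 1) + 1               # 1 <= priv <= q-1
    return priv, pow(G, priv, P)

def dh_shared_secret(my_priv, their_pub):
    """ZZ = g^(x*y) mod p, after checking that the peer value lies in the
    order-q subgroup (the small-subgroup concern raised in Section 7)."""
    if not 1 < their_pub < P - 1 or pow(their_pub, Q, P) != 1:
        raise ValueError("peer DH public value not in the order-q subgroup")
    return pow(their_pub, my_priv, P)

# ---- toy curve y^2 = x^3 + A*x + B over F_CP, generator CG of prime order CN
CP, A, B = 17, 2, 2
CG, CN = (5, 1), 19
INF = None                                            # point at infinity

def ec_add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % CP == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, CP) % CP
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, CP) % CP
    x3 = (lam * lam - x1 - x2) % CP
    return x3, (lam * (x1 - x3) - y1) % CP

def ec_mul(k, pt):
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_keypair():
    priv = secrets.randbelow(CN - 1) + 1
    return priv, ec_mul(priv, CG)

def ecdh_shared_secret(my_priv, their_pub):
    """ZZ = x coordinate of my_priv * their_pub (Section 6, step 3(b))."""
    if their_pub is INF:
        raise ValueError("peer point is the point at infinity")
    x, y = their_pub
    if (y * y - (x ** 3 + A * x + B)) % CP != 0:
        raise ValueError("peer point is not on the curve")
    pt = ec_mul(my_priv, their_pub)
    if pt is INF:
        raise ValueError("shared point is the point at infinity")
    return pt[0]

# ---- steps 3(c) and 3(d), identical for both variants -----------------------
def pop_mac(zz, zz_len):
    """hashValue = MAC(K, text) with K = KDF(LeadingInfo | ZZ | TrailingInfo)."""
    zz_bytes = zz.to_bytes(zz_len, "big")             # ZZ as fixed-width octets
    k = hashlib.sha256(LEADING_INFO + zz_bytes + TRAILING_INFO).digest()
    return hmac.new(k, TEXT, hashlib.sha256).digest()

def run_static_pop(keypair, shared, order, zz_len):
    """E builds the POP against R's certificate key and R recomputes it.
    Returns (recipient_verifies, third_party_gets_a_different_value)."""
    r_priv, r_pub = keypair()                         # R's certificate key pair
    e_priv, e_pub = keypair()                         # key pair in the request
    hash_value = pop_mac(shared(e_priv, r_pub), zz_len)   # E: Rpub^y / Epriv*Rpub
    expected = pop_mac(shared(r_priv, e_pub), zz_len)     # R: Epub^x / Rpriv*Epub
    verifies = hmac.compare_digest(hash_value, expected)
    # Without Rpriv the shared secret differs.  The toy orders are tiny, so
    # skip the one colliding private value and, for ECDH, its negative (same x).
    t_priv, _ = keypair()
    while t_priv % order in (r_priv % order, (-r_priv) % order):
        t_priv, _ = keypair()
    other = pop_mac(shared(t_priv, e_pub), zz_len)
    return verifies, not hmac.compare_digest(hash_value, other)

def demo():
    return (run_static_pop(dh_keypair, dh_shared_secret, Q, 2),
            run_static_pop(ec_keypair, ecdh_shared_secret, CN, 1))
```

demo() returns ((True, True), (True, True)) for DH and ECDH respectively. The lines computing hash_value and expected are the same function applied to the same ZZ, which is exactly why Section 7 says the recipient could have produced the value itself: the static POPs prove possession to one named verifier and nothing more.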


6.1. ASN.1 Encoding 


The algorithm outlined above allows for the use of an arbitrary hash 
function in computing the temporary key and the MAC value. In this 
specification, we define object identifiers for the SHA-1, SHA-224, 
SHA-256, SHA-384, and SHA-512 hash values. The ASN.1 structures 
associated with the Static ECDH POP algorithm are: 


id-alg-ecdhPop-static-sha224-hmac-sha224 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 25
}

sa-ecdhPop-static-sha224-hmac-sha224 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-ecdhPop-static-sha224-hmac-sha224
    VALUE DhSigStatic
    PARAMS ARE absent
    PUBLIC-KEYS { pk-ec }
}

id-alg-ecdhPop-static-sha256-hmac-sha256 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 26
}

sa-ecdhPop-static-sha256-hmac-sha256 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-ecdhPop-static-sha256-hmac-sha256
    VALUE DhSigStatic
    PARAMS ARE absent
    PUBLIC-KEYS { pk-ec }
}

id-alg-ecdhPop-static-sha384-hmac-sha384 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 27
}

sa-ecdhPop-static-sha384-hmac-sha384 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-ecdhPop-static-sha384-hmac-sha384
    VALUE DhSigStatic
    PARAMS ARE absent
    PUBLIC-KEYS { pk-ec }
}

id-alg-ecdhPop-static-sha512-hmac-sha512 OBJECT IDENTIFIER ::= {
    id-pkix id-alg(6) 28
}

sa-ecdhPop-static-sha512-hmac-sha512 SIGNATURE-ALGORITHM ::= {
    IDENTIFIER id-alg-ecdhPop-static-sha512-hmac-sha512
    VALUE DhSigStatic
    PARAMS ARE absent
    PUBLIC-KEYS { pk-ec }
}


These items reuse the DhSigStatic structure defined in Section 4. 
When used with these algorithms, the value to be placed in the field 
hashValue is that computed in step 3(d) (Section 6). In the above 
ASN.1, the following items are defined: 


sa-ecdhPop-static-sha224-hmac-sha224
An ASN.1 SIGNATURE-ALGORITHM object that associates together the
information describing this signature algorithm. The structure
DhSigStatic represents the signature value, and the parameters
MUST be absent.

id-alg-ecdhPop-static-sha224-hmac-sha224
This OID identifies the Static ECDH POP algorithm that uses
SHA-224 as the KDF and HMAC-SHA224 as the MAC function.

sa-ecdhPop-static-sha256-hmac-sha256
An ASN.1 SIGNATURE-ALGORITHM object that associates together the
information describing this signature algorithm. The structure
DhSigStatic represents the signature value, and the parameters
MUST be absent.

id-alg-ecdhPop-static-sha256-hmac-sha256
This OID identifies the Static ECDH POP algorithm that uses
SHA-256 as the KDF and HMAC-SHA256 as the MAC function.

sa-ecdhPop-static-sha384-hmac-sha384
An ASN.1 SIGNATURE-ALGORITHM object that associates together the
information describing this signature algorithm. The structure
DhSigStatic represents the signature value, and the parameters
MUST be absent.

id-alg-ecdhPop-static-sha384-hmac-sha384
This OID identifies the Static ECDH POP algorithm that uses
SHA-384 as the KDF and HMAC-SHA384 as the MAC function.

sa-ecdhPop-static-sha512-hmac-sha512
An ASN.1 SIGNATURE-ALGORITHM object that associates together the
information describing this signature algorithm. The structure
DhSigStatic represents the signature value, and the parameters
MUST be absent.

id-alg-ecdhPop-static-sha512-hmac-sha512
This OID identifies the Static ECDH POP algorithm that uses
SHA-512 as the KDF and HMAC-SHA512 as the MAC function.


7. Security Considerations 


None of the algorithms defined in this document are meant for use in
general purpose situations. These algorithms are designed and
purposed solely for use in doing POP with PKCS #10 and CRMF
constructs.


In the Static DH POP and Static ECDH POP algorithms, an appropriate 
value can be produced by either party. Thus, these algorithms only 
provide integrity and not origination service. The Discrete 
Logarithm Signature algorithm provides both integrity checking and 
origination checking. 


All the security in this system is provided by the secrecy of the 
private keying material. If either sender or recipient private keys 
are disclosed, all messages sent or received using those keys are 
compromised. Similarly, the loss of a private key results in an 
inability to read messages sent using that key. 

Selection of parameters can be of paramount importance. In the
selection of parameters, one must take into account the community/
group of entities that one wishes to be able to communicate with. In
choosing a set of parameters, one must also be sure to avoid small
groups. [FIPS-186-3] Appendixes A and B.2 contain information on the
selection of parameters for DH. Section 10 of [RFC6090] contains
information on the selection of parameters for ECC. The practices
outlined in these documents will lead to better selection of
parameters.
Appendix A. ASN.1 Modules 


A.1. 2008 ASN.1 Module 


This appendix contains an ASN.1 module that is conformant with the 
2008 version of ASN.1. This module references the object classes 
defined by [RFC5912] to more completely describe all of the 
associations between the elements defined in this document. Where a 
difference exists between the module in this section and the 1988 
module, the 2008 module is the definitive module. 


DH-Sign 
  { iso(1) identified-organization(3) dod(6) internet(1) 
    security(5) mechanisms(5) pkix(7) id-mod(0) 
    id-mod-dhSign-2012-08(80) } 

DEFINITIONS IMPLICIT TAGS ::= 

BEGIN 

-- EXPORTS ALL 
-- The types and values defined in this module are exported for use 
-- in the other ASN.1 modules.  Other applications may use them 
-- for their own purposes. 

IMPORTS 

SIGNATURE-ALGORITHM 
FROM AlgorithmInformation-2009 
  { iso(1) identified-organization(3) dod(6) internet(1) 
    security(5) mechanisms(5) pkix(7) id-mod(0) 
    id-mod-algorithmInformation-02(58) } 

IssuerAndSerialNumber, MessageDigest 
FROM CryptographicMessageSyntax-2010 
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 
    pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } 

DSA-Sig-Value, DomainParameters, ECDSA-Sig-Value, 
mda-sha1, mda-sha224, mda-sha256, mda-sha384, mda-sha512, 
pk-dh, pk-ec 
FROM PKIXAlgs-2009 
  { iso(1) identified-organization(3) dod(6) internet(1) 
    security(5) mechanisms(5) pkix(7) id-mod(0) 
    id-mod-pkix1-algorithms2008-02(56) } 

id-pkix 
FROM PKIX1Explicit-2009 
  { iso(1) identified-organization(3) dod(6) internet(1) 
    security(5) mechanisms(5) pkix(7) id-mod(0) 
    id-mod-pkix1-explicit-02(51) }; 

DhSigStatic ::= SEQUENCE { 
  issuerAndSerial IssuerAndSerialNumber OPTIONAL, 
  hashValue MessageDigest 
} 

sa-dhPop-static-sha1-hmac-sha1 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-dhPop-static-sha1-hmac-sha1 
  VALUE DhSigStatic 
  PARAMS ARE absent 
  PUBLIC-KEYS { pk-dh } 
} 

id-dh-sig-hmac-sha1 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 3 
} 

id-dhPop-static-sha1-hmac-sha1 OBJECT IDENTIFIER ::= 
  id-dh-sig-hmac-sha1 

sa-dhPop-static-sha224-hmac-sha224 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-dhPop-static-sha224-hmac-sha224 
  VALUE DhSigStatic 
  PARAMS ARE absent 
  PUBLIC-KEYS { pk-dh } 
} 

id-alg-dhPop-static-sha224-hmac-sha224 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 15 
} 

sa-dhPop-static-sha256-hmac-sha256 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-dhPop-static-sha256-hmac-sha256 
  VALUE DhSigStatic 
  PARAMS ARE absent 
  PUBLIC-KEYS { pk-dh } 
} 

id-alg-dhPop-static-sha256-hmac-sha256 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 16 
} 

sa-dhPop-static-sha384-hmac-sha384 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-dhPop-static-sha384-hmac-sha384 
  VALUE DhSigStatic 
  PARAMS ARE absent 
  PUBLIC-KEYS { pk-dh } 
} 

id-alg-dhPop-static-sha384-hmac-sha384 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 17 
} 

sa-dhPop-static-sha512-hmac-sha512 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-dhPop-static-sha512-hmac-sha512 
  VALUE DhSigStatic 
  PARAMS ARE absent 
  PUBLIC-KEYS { pk-dh } 
} 

id-alg-dhPop-static-sha512-hmac-sha512 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 18 
} 

sa-dhPop-SHA1 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-dh-pop 
  VALUE DSA-Sig-Value 
  PARAMS TYPE DomainParameters ARE preferredAbsent 
  HASHES { mda-sha1 } 
  PUBLIC-KEYS { pk-dh } 
} 

id-alg-dhPop-sha1 OBJECT IDENTIFIER ::= id-alg-dh-pop 
id-alg-dh-pop OBJECT IDENTIFIER ::= { id-pkix id-alg(6) 4 } 

sa-dhPop-sha224 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-dhPop-sha224 
  VALUE DSA-Sig-Value 
  PARAMS TYPE DomainParameters ARE preferredAbsent 
  HASHES { mda-sha224 } 
  PUBLIC-KEYS { pk-dh } 
} 

id-alg-dhPop-sha224 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 5 
} 

sa-dhPop-sha256 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-dhPop-sha256 
  VALUE DSA-Sig-Value 
  PARAMS TYPE DomainParameters ARE preferredAbsent 
  HASHES { mda-sha256 } 
  PUBLIC-KEYS { pk-dh } 
} 

id-alg-dhPop-sha256 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 6 
} 

sa-dhPop-sha384 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-dhPop-sha384 
  VALUE DSA-Sig-Value 
  PARAMS TYPE DomainParameters ARE preferredAbsent 
  HASHES { mda-sha384 } 
  PUBLIC-KEYS { pk-dh } 
} 

id-alg-dhPop-sha384 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 7 
} 

sa-dhPop-sha512 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-dhPop-sha512 
  VALUE DSA-Sig-Value 
  PARAMS TYPE DomainParameters ARE preferredAbsent 
  HASHES { mda-sha512 } 
  PUBLIC-KEYS { pk-dh } 
} 

id-alg-dhPop-sha512 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 8 
} 

id-alg-ecdhPop-static-sha224-hmac-sha224 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 25 
} 

sa-ecdhPop-sha224-hmac-sha224 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-ecdhPop-static-sha224-hmac-sha224 
  VALUE DhSigStatic 
  PARAMS ARE absent 
  PUBLIC-KEYS { pk-ec } 
} 

id-alg-ecdhPop-static-sha256-hmac-sha256 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 26 
} 

sa-ecdhPop-sha256-hmac-sha256 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-ecdhPop-static-sha256-hmac-sha256 
  VALUE DhSigStatic 
  PARAMS ARE absent 
  PUBLIC-KEYS { pk-ec } 
} 

id-alg-ecdhPop-static-sha384-hmac-sha384 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 27 
} 

sa-ecdhPop-sha384-hmac-sha384 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-ecdhPop-static-sha384-hmac-sha384 
  VALUE DhSigStatic 
  PARAMS ARE absent 
  PUBLIC-KEYS { pk-ec } 
} 

id-alg-ecdhPop-static-sha512-hmac-sha512 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 28 
} 

sa-ecdhPop-sha512-hmac-sha512 SIGNATURE-ALGORITHM ::= { 
  IDENTIFIER id-alg-ecdhPop-static-sha512-hmac-sha512 
  VALUE DhSigStatic 
  PARAMS ARE absent 
  PUBLIC-KEYS { pk-ec } 
} 

END 
A.2. 1988 ASN.1 Module 


This appendix contains an ASN.1 module that is conformant with the 
1988 version of ASN.1, which represents an informational version of 
the ASN.1 module for this document. Where a difference exists 
between the module in this section and the 2008 module, the 2008 
module is the definitive module. 


DH-Sign 
  { iso(1) identified-organization(3) dod(6) internet(1) 
    security(5) mechanisms(5) pkix(7) id-mod(0) 
    id-mod-dhSign-2012-08(79) } 
DEFINITIONS IMPLICIT TAGS ::= 

BEGIN 

-- EXPORTS ALL 
-- The types and values defined in this module are exported for use 
-- in the other ASN.1 modules.  Other applications may use them 
-- for their own purposes. 

IMPORTS 
IssuerAndSerialNumber, MessageDigest 
FROM CryptographicMessageSyntax2004 
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 
    pkcs-9(9) smime(16) modules(0) cms-2004(24) } 

id-pkix 
FROM PKIX1Explicit88 
  { iso(1) identified-organization(3) dod(6) internet(1) 
    security(5) mechanisms(5) pkix(7) id-mod(0) 
    id-pkix1-explicit(18) } 

Dss-Sig-Value, DomainParameters 
FROM PKIX1Algorithms88 
  { iso(1) identified-organization(3) dod(6) internet(1) 
    security(5) mechanisms(5) pkix(7) id-mod(0) 
    id-mod-pkix1-algorithms(17) }; 

id-dh-sig-hmac-sha1 OBJECT IDENTIFIER ::= { id-pkix id-alg(6) 3 } 

DhSigStatic ::= SEQUENCE { 
  issuerAndSerial IssuerAndSerialNumber OPTIONAL, 
  hashValue MessageDigest 
} 

id-alg-dh-pop OBJECT IDENTIFIER ::= { id-pkix id-alg(6) 4 } 

id-dhPop-static-sha1-hmac-sha1 OBJECT IDENTIFIER ::= 
  id-dh-sig-hmac-sha1 

id-alg-dhPop-static-sha224-hmac-sha224 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 15 } 

id-alg-dhPop-static-sha256-hmac-sha256 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 16 } 

id-alg-dhPop-static-sha384-hmac-sha384 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 17 } 

id-alg-dhPop-static-sha512-hmac-sha512 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 18 } 

id-alg-dhPop-sha1 OBJECT IDENTIFIER ::= id-alg-dh-pop 

id-alg-dhPop-sha224 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 5 } 

id-alg-dhPop-sha256 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 6 } 

id-alg-dhPop-sha384 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 7 } 

id-alg-dhPop-sha512 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 8 } 

id-alg-ecdhPop-static-sha224-hmac-sha224 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 25 } 

id-alg-ecdhPop-static-sha256-hmac-sha256 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 26 } 

id-alg-ecdhPop-static-sha384-hmac-sha384 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 27 } 

id-alg-ecdhPop-static-sha512-hmac-sha512 OBJECT IDENTIFIER ::= { 
  id-pkix id-alg(6) 28 } 

END 
Appendix B. Example of Static DH Proof-of-Possession 


The following example follows the steps described earlier in 
Section 4. 


Step 1. Establishing common DH parameters: Assume the parameters are 
as in the DER-encoded certificate. The certificate contains a DH 
public key signed by a CA with a DSA signing key. 


(DER dump of the CA certificate not reproduced here.) 


Step 2. End entity/user generates a DH key pair using the parameters 
from the CA certificate. 


End entity DH public key: Ys (hex value not reproduced here) 


End entity DH private key: X (hex value not reproduced here) 


Step 3. Compute the shared secret ZZ. 


56 b6 01 39 42 8e 09 16 30 b0 31 4d 12 90 af 03 
c7 92 65 c2 9c ba 88 bb da dd 94 02 ed 6f 54 cb 
22 e5 94 b4 d6 60 72 bc f6 a5 2b 18 8d df 28 72 
ac e0 41 dd 3b 03 2a 12 9e 5d bd 72 a0 1e fb 6b 
ee c5 b2 16 59 ee 12 00 3b c8 e0 cb c5 08 8e 2d 
40 5f 2d 37 62 8c 4f bb 49 76 69 3c 9e fc 2c f7 
f9 50 c1 b9 f7 01 32 4c 96 b9 c3 56 c0 2c 1b 77 
3f 2f 36 e8 22 c8 2e 07 76 d0 4f 7f aa d5 c0 59 


Step 4. Compute K and the signature. 


LeadingInfo: DER-encoded Subject/Requester Distinguished Name (DN), 
as in the generated Certificate Signing Request 


30 46 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 
11 30 0F 06 03 55 04 0A 13 08 58 45 54 49 20 49 
6E 63 31 10 30 0E 06 03 55 04 0B 13 07 54 65 73 
74 69 6E 67 31 12 30 10 06 03 55 04 03 13 09 44 
48 20 54 65 73 74 43 41 


TrailingInfo: DER-encoded Issuer/recipient DN (from the certificate 
described in step 1) 


30 48 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 
11 30 0F 06 03 55 04 0A 13 08 58 45 54 49 20 49 
6E 63 31 10 30 0E 06 03 55 04 0B 13 07 54 65 73 
74 69 6E 67 31 14 30 12 06 03 55 04 03 13 0B 52 
6F 6F 74 20 44 53 41 20 43 41 


B1 91 D7 DB 4F C5 EF EF AC 9A C5 44 5A 6D 42 28 
DC 70 7B DA 
TBS: the "text" for computing the SHA-1 HMAC (the DER-encoded 
certificationRequestInfo; hex dump not reproduced here). 
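The four steps above, and the small-subgroup caveat from the Security Considerations, as an added Python example that is not the RFC's own code. It uses a toy group constructed for illustration, the DNs and certificate serial from this appendix, and takes the order of the K derivation (LeadingInfo || ZZ || TrailingInfo) from Section 4 of the RFC, which is outside this excerpt; it also shows that the CA, holding the other private key, computes the identical MAC, which is why the scheme gives integrity but not origination.

```python
"""Static DH Proof-of-Possession, following the steps of Appendix B.

Added example, not the RFC's code.  Uses a toy group constructed for
illustration; real parameters are chosen per [FIPS-186-3].
"""
import hashlib
import hmac
import secrets

# Toy group: p is a safe prime, q = (p - 1) / 2, and g = 4 generates the
# subgroup of order q.  Far too small for real use.
P, Q, G = 2039, 1019, 4


def validate_public_key(y: int, p: int = P, q: int = Q) -> bool:
    """Small-subgroup check: y must lie strictly between 1 and p - 1
    and have order q (the concern raised in the Security Considerations)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def gen_keypair(p: int = P, q: int = Q, g: int = G):
    x = secrets.randbelow(q - 1) + 1          # private exponent in [1, q-1]
    return x, pow(g, x, p)


def shared_secret(x_own: int, y_peer: int, p: int = P, q: int = Q) -> bytes:
    """Step 3: ZZ = y_peer^x_own mod p as a fixed-length big-endian string."""
    if not validate_public_key(y_peer, p, q):
        raise ValueError("peer public key is not in the order-q subgroup")
    return pow(y_peer, x_own, p).to_bytes((p.bit_length() + 7) // 8, "big")


def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (definite lengths only)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def der_name(common_name: str) -> bytes:
    """X.501 Name with one RDN: commonName (2.5.4.3) as PrintableString."""
    atv = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403"))
                  + der_tlv(0x13, common_name.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, atv))


def static_dh_pop_mac(zz: bytes, leading: bytes, trailing: bytes,
                      text: bytes, hashname: str = "sha1") -> bytes:
    """Step 4: K = Hash(LeadingInfo || ZZ || TrailingInfo), MAC = HMAC(K, text).
    The concatenation order is taken from Section 4 of the RFC."""
    k = hashlib.new(hashname, leading + zz + trailing).digest()
    return hmac.new(k, text, hashname).digest()


def encode_dh_sig_static(mac: bytes, issuer_name: bytes = None,
                         serial: int = 0) -> bytes:
    """DhSigStatic ::= SEQUENCE { issuerAndSerial IssuerAndSerialNumber
    OPTIONAL, hashValue MessageDigest }; MessageDigest is an OCTET STRING."""
    body = b""
    if issuer_name is not None:
        sn = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
        body = der_tlv(0x30, issuer_name + der_tlv(0x02, sn))
    return der_tlv(0x30, body + der_tlv(0x04, mac))


def rejects_bad_key(y: int) -> bool:
    """True when shared_secret refuses a public key outside the subgroup."""
    try:
        shared_secret(1, y)
        return False
    except ValueError:
        return True


def run_example(text: bytes = b"constructed certificationRequestInfo") -> dict:
    """Both parties of the Appendix B flow.  DNs and serial are the page's."""
    x_ca, y_ca = gen_keypair()               # step 1: CA certificate key
    x_ee, y_ee = gen_keypair()               # step 2: end-entity key pair
    leading = der_name("PKIX Example User")  # requester DN
    trailing = der_name("Root DSA CA")       # issuer / recipient DN
    zz_ee = shared_secret(x_ee, y_ca)        # step 3 on the requester side
    zz_ca = shared_secret(x_ca, y_ee)        # step 3 again at the CA
    mac_ee = static_dh_pop_mac(zz_ee, leading, trailing, text)
    mac_ca = static_dh_pop_mac(zz_ca, leading, trailing, text)
    tampered = static_dh_pop_mac(zz_ca, leading, trailing, text + b"!")
    return {
        "verifies": hmac.compare_digest(mac_ee, mac_ca),
        # Identical value from either private key: integrity, not origination.
        "either_party_same_mac": mac_ee == mac_ca,
        "tampered_verifies": hmac.compare_digest(tampered, mac_ee),
        "signature": encode_dh_sig_static(mac_ee, trailing, 0xDA39B6E2CB),
    }


if __name__ == "__main__":
    print(run_example())
```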
Certification Request: (DER dump of the resulting certification 
request not reproduced here.) 


Signature verification requires the CA's private key, the CA certificate, 
and the generated Certification Request. 


CA DH private key: 


x: 3E 5D AD FD E5 F4 6B 1B 61 5E 18 F9 0B 84 74 A7 
   52 1E D6 92 BC 34 94 56 F3 0C BE DA 67 7A DD 7D 


Appendix C. Example of Discrete Log Signature 


Step 1. Generate a DH key with length of q being 256 bits. 


The parameters p, q and g and the key pair (y, x) are those of the 
CA certificate in Appendix B; their hex values are not reproduced 
here. 
Step 2. Form the value to be signed and hash with SHA1. The result 
of the hash for this example is: 


5f a2 69 b6 4b 22 91 22 6f 4c fe 68 ec 2b d1 c6 
d4 21 e5 2c 


Step 3. The hash value needs to be expanded, since |q| = 256. This 
is done by hashing the hash with SHA1 and appending it to the 
original hash. The value after this step is: 


5f a2 69 b6 4b 22 91 22 6f 4c fe 68 ec 2b d1 c6 
d4 21 e5 2c 64 92 8b c9 5e 34 59 70 bd 62 40 ad 
6f 26 3b f7 1c a3 b2 cb 
Next, the first 255 bits of this value are taken to be the resulting 
"hash" value. Note that in this case a shift of one bit right is 
done, since the result is to be treated as an integer: 


2f d1 34 db 25 91 48 91 37 a6 7f 34 76 15 e8 e3 
6a 10 f2 96 32 49 45 e4 af 1a 2c b8 5e b1 20 56 
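Steps 2 and 3 above as an added Python example (not the RFC's own code): the expansion H || SHA1(H) and the one-bit right shift that leaves the leftmost 255 bits, checked against the Step 2 digest given on this page. The |q| - 1 truncation and the single extra hash block follow this appendix's |q| = 256 case; expanding by more than one block is not attempted here.

```python
"""Digest expansion for the Discrete Logarithm Signature, as in Appendix C.

Added example, not the RFC's code.  When the hash output is shorter than
|q|, the digest H is extended to H || Hash(H) and the leftmost |q| - 1 bits
of the result are used as the integer to be signed; for |q| = 256 and
SHA-1 that is a one-bit right shift of the leftmost 256 bits.
"""
import hashlib


def expand_digest(digest: bytes, q_bits: int, hashname: str = "sha1") -> int:
    """Return the leftmost q_bits - 1 bits of H || Hash(H) as an integer."""
    if q_bits < 2 or not digest:
        raise ValueError("need q_bits >= 2 and a non-empty digest")
    expanded = digest
    if len(expanded) * 8 < q_bits:
        # One extra block is what the appendix shows; more than one would
        # need the chaining rule from Section 5.1, which is not assumed here.
        expanded += hashlib.new(hashname, digest).digest()
        if len(expanded) * 8 < q_bits:
            raise ValueError("one extra hash block does not reach |q| bits")
    # Keep the leftmost q_bits bits, then drop the low bit (q_bits - 1 remain).
    leftmost = int.from_bytes(expanded, "big") >> (len(expanded) * 8 - q_bits)
    return leftmost >> 1


# Step 2 digest from the page (SHA-1 over the value to be signed).
STEP2_DIGEST = bytes.fromhex("5fa269b64b2291226f4cfe68ec2bd1c6d421e52c")


def step3_value(q_bits: int = 256) -> bytes:
    """Step 3 result for the page's digest as a big-endian octet string."""
    return expand_digest(STEP2_DIGEST, q_bits).to_bytes((q_bits + 7) // 8, "big")


if __name__ == "__main__":
    print(step3_value().hex())
```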


Step 4. The signature value is computed. 


r: A1 B5 BA 90 01 34 6B A0 31 6A 73 F5 7D F6 5C 14 
   43 52 D2 10 BF 86 58 87 F7 BC 6E 5A 77 FF C3 4B 


s: 59 40 45 BC 6F 0D DC FF 9D 55 40 1E C4 9E 51 3D 
   66 EF B2 FF 06 40 9A 39 68 75 81 F7 EC 9E BE A1 
The encoded signature value is then: 


30 45 02 21 00 A1 B5 BA 90 01 34 6B A0 31 6A 73 
F5 7D F6 5C 14 43 52 D2 10 BF 86 58 87 F7 BC 6E 
5A 77 FF C3 4B 02 20 59 40 45 BC 6F 0D DC FF 9D 
55 40 1E C4 9E 51 3D 66 EF B2 FF 06 40 9A 39 68 
75 81 F7 EC 9E BE A1 


Result: the DER-encoded certification request carrying this 
signature (the hex dump and its decoded ASN.1 listing are not 
reproduced here). 